Bug 1316653
| Summary: | pki ca-cert-request-submit fails presumably because of missing authentication even if it should not require any | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Pazdziora (Red Hat) <jpazdziora> | |
| Component: | pki-core | Assignee: | Endi Sukma Dewata <edewata> | |
| Status: | CLOSED ERRATA | QA Contact: | Asha Akkiangady <aakkiang> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | high | |||
| Version: | 7.3 | CC: | alee, arubin, edewata, enewland, gkapoor, jpazdziora, jreznik, ksiddiqu, mharmsen, mkosek, nkinder, pvoborni | |
| Target Milestone: | rc | Keywords: | ZStream | |
| Target Release: | 7.4 | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | pki-core-10.4.0-1.el7 | Doc Type: | No Doc Update | |
| Doc Text: |
undefined
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1404175 (view as bug list) | Environment: | ||
| Last Closed: | 2017-08-01 22:46:01 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 1366361, 1404175 | |||
Upstream ticket: https://fedorahosted.org/pki/ticket/2289 The caInstallCACert is actually an internal profile used during PKI server installation. Also, it requires token authentication which is currently not supported by the pki CLI. Can you use the caCACert profile instead? It should not require authentication. Regardless, the man page needs to be updated since some profiles actually do require authentication: http://pki.fedoraproject.org/wiki/Certificate_Profiles. I confirm that with template.xml generated by pki ca-cert-request-profile-show caCACert --output template.xml I get # pki ca-cert-request-submit template.xml ; echo $? PKIException: Unknown Certificate Request Type 255 which at least on surface seems correct -- I did not put the CSR in. Per PKI Bug Council of 08/31/2016: * Consider this bug for a RHEL 7.3 Batch 1 Update Candidate (MAN page) Fixed in master: * 52694cd6acf81446623b6d24947d8d3afdc8536c Request rhel-7.3.z ? flag (In reply to Matthew Harmsen from comment #8) > Request rhel-7.3.z ? flag also, provide justification (In reply to Matthew Harmsen from comment #9) > (In reply to Matthew Harmsen from comment #8) > > Request rhel-7.3.z ? flag > > also, provide justification See comment#1 for justification for fixing this in a z-stream update. Fixed in master: * 52694cd6acf81446623b6d24947d8d3afdc8536c Cherry-picked to DOGTAG_10_3_BRANCH: * b99469a9805df722a58fe20ca7160de706b69e7c Cherry-picked to DOGTAG_10_3_RHEL_BRANCH: * 5332079797f763e9997685eaf188206c4631daa8 Cherry-picked to DOGTAG_10_3_RHEL_UNRELEASED_BRANCH: * aa32e55a3812a2f9cee82f3e26e9f543a345c789 Test build: rpm -qa pki-ca
pki-ca-10.4.1-2.el7.noarch
Test Steps:
1. Install pki-ca.
2. Create csr using openssl req -new -nodes -out host.csr
3. pki ca-cert-request-profile-show caCACert --output template.xml
4. submit the csr to any externalCA .
Here i have used another dogtag CA to get the csr signed.
# pki -h <ip1 of CA> -p <http port of CA> ca-cert-request-submit template.xml
-----------------------------
Submitted certificate request
-----------------------------
Request ID: 49990004
Type: enrollment
Request Status: pending
Operation Result: success
5. Make sure to include request type (either pkcs10 or crmf) and cert request fileds.
Case 1: If we don't include request type in template.xml we would hit below exception:
#pki ca-cert-request-submit template.xml
PKIException: Unknown Certificate Request Type
6. Try to approve the csr from the CA to which we have send the request.Below if the output once signed by CA.
# pki -h <ip1 of CA> -p <http port of CA ca-cert-request-show 49990004
------------------------------
Certificate request "49990004"
------------------------------
Request ID: 49990004
Type: enrollment
Request Status: complete
Operation Result: success
Certificate ID: 0x5ffe0001
##############################################################################
Details of working template.xml::
##############################################################################
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<CertEnrollmentRequest>
<Attributes/>
<ProfileID>caCACert</ProfileID>
<Renewal>false</Renewal>
<RemoteHost></RemoteHost>
<RemoteAddress></RemoteAddress>
<Input id="i1">
<ClassID>certReqInputImpl</ClassID>
<Name>Certificate Request Input</Name>
<Attribute name="cert_request_type">
<Value>pkcs10</Value>
<Descriptor>
<Syntax>cert_request_type</Syntax>
<Description>Certificate Request Type</Description>
</Descriptor>
</Attribute>
<Attribute name="cert_request">
<Value>
-----BEGIN CERTIFICATE REQUEST-----
MIICljCCAX4CAQAwUTELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDENMAsGA1UEAwwEVGVzdDCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMcITTHKipicCgA58PVPxalU
MVBCJTDaRrW4eaSRt3qgsDMhrZ34t8voQni0Pabfw7sp+lUtjUm1QJhmZhTyk8q2
1668KSM36jzbLq32XNdWdPtRTDdE9ahUHzm/uEraRfvlb7WkQIoJDYI9yhie7dr8
F/LKZ9LNRoYgjWUK7z3BDU2NMmb/AaZDnBNKUFB3XXi1QsLnSc/Sy4kakAcPVqf6
91mDToHfOQdLJ2/aiUyQ6jC4tkS/YJUQyPb0cUen7bFwsj6orKA30W5umw+J3Bxl
9TOuaffNR2/154hdoc8tmJqEMqJ/UX5PN5RtHTEtqNuceNda8QUpJjxMk1MxwFkC
AwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQAouE0d8LeP9BdYnTsq4JLSx2d9mT0U
/3pKhqyBNcwualUUAeUJcPuL7SXE6p65D5VyjnpyAY2Lov4XVDoA+zhGOtgimmT8
z1V/fwfaUNavkSRslgUyO9YMuXIB5dymRLoEm5iRV1C10q/NvsAImdb4oxf5s63w
lhsnzZPAdvMncP1TzskkeMAxX7ifU3vU97MY52gf5wzh9sO0Ex35pHGHgZ0HaFJ2
engvU09AW9cHJmALGXr9+/ZPYEpWtuMiRS9t/ZA02v5VNd6+RC9OJvl/lZcPtsBg
fZY1POP5GdKbuAfeJ5Vgsppv0i/lO5Sg4vGWkgDwHo6dmPXieSqBCACB
-----END CERTIFICATE REQUEST-----
</Value>
<Descriptor>
<Syntax>cert_request</Syntax>
<Description>Certificate Request</Description>
</Descriptor>
</Attribute>
</Input>
<Input id="i2">
<ClassID>submitterInfoInputImpl</ClassID>
<Name>Requestor Information</Name>
<Attribute name="requestor_name">
<Value>Test</Value>
<Descriptor>
<Syntax>string</Syntax>
<Description>Requestor Name</Description>
</Descriptor>
</Attribute>
<Attribute name="requestor_email">
<Value></Value>
<Descriptor>
<Syntax>string</Syntax>
<Description>Requestor Email</Description>
</Descriptor>
</Attribute>
<Attribute name="requestor_phone">
<Value></Value>
<Descriptor>
<Syntax>string</Syntax>
<Description>Requestor Phone</Description>
</Descriptor>
</Attribute>
</Input>
</CertEnrollmentRequest>
Test Case 2: we don't use profile "caInstallCACert" because it is internal.
Verify the http://pki.fedoraproject.org/wiki/CA_Certificate_Profiles and man pki-cert and verified "caInstallCACert" is not used for cert approval.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2110 |
Description of problem: The man pki-cert(1) says: Then, fill in the values in the XML file and submit the request for review. This can be done without authentication. pki ca-cert-request-submit <request file> Attempt to do that fails. Version-Release number of selected component (if applicable): pki-tools-10.2.5-6.el7.x86_64 ipa-server-4.2.0-15.el7.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. Install and configure FreeIPA/IdM server. 2. Run pki ca-cert-request-profile-find 3. Run pki ca-cert-request-profile-show caInstallCACert --output template.xml 4. Run pki ca-cert-request-submit template.xml ; echo $? Actual results: UnauthorizedException: AuthCredentials.set() 255 Expected results: No error, exit status 0, and the CSR submitted. Additional info: This is minimization of the question from https://www.redhat.com/archives/freeipa-users/2015-May/msg00416.html. Note that I did not edit the template.xml produced by ca-cert-request-profile-show in any way to minimize the report. Even if the /CertEnrollmentRequest/Input[@id="i1"]/Attribute[@name="cert_request"]/value contains Base64-encoded CSR, I get the same error though, so I assume the template.xml does not play any role at this point (and if it does, some other error than UnauthorizedException: AuthCredentials.set() should be shown).